lint: sync rules with mysqljs/mysql
dougwilson committed Jan 21, 2020
1 parent 14e4c05 commit acc02c4
Showing 2 changed files with 29 additions and 1 deletion.
2 changes: 2 additions & 0 deletions .eslintrc
Expand Up @@ -33,9 +33,11 @@
"no-regex-spaces": 2,
"no-sparse-arrays": 2,
"no-trailing-spaces": 2,
"no-undef": 2,
"no-unexpected-multiline": 2,
"no-unreachable": 2,
"no-unused-vars": 2,
"one-var": ["error", { "initialized": "never" }],
"quotes": [2, "single", { "avoidEscape": true, "allowTemplateLiterals": true }],
"semi": [2, "always"],
"semi-spacing": 2,
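Review bot: the severity notation in the added `one-var` rule is inconsistent with the rest of this block, which uses the numeric form (`"no-undef": 2`, `"no-unused-vars": 2`) while `one-var` is written as `["error", { "initialized": "never" }]`. If the goal is a verbatim copy of the mysqljs/mysql config, keep it as is; otherwise `"one-var": [2, { "initialized": "never" }]` keeps the file uniform.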
28 changes: 27 additions & 1 deletion README.md
Expand Up @@ -16,7 +16,7 @@ $ npm install sqlstring

## Usage

<!-- eslint-disable no-unused-vars -->
<!-- eslint-disable no-undef, no-unused-vars -->

```js
var SqlString = require('sqlstring');
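Review bot: this Usage block already declares `SqlString` through `require('sqlstring')`, so the only identifier `no-undef` can flag here is `require` itself. If `.eslintrc` does not already set `"env": { "node": true }` (not visible in this diff), declaring the node environment there would make the `no-undef` half of this disable comment unnecessary for this block while keeping the rule active for genuinely undeclared names.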
Expand All @@ -32,6 +32,8 @@ In order to avoid SQL Injection attacks, you should always escape any user
provided data before using it inside a SQL query. You can do so using the
`SqlString.escape()` method:

<!-- eslint-disable no-undef -->

```js
var userId = 'some user provided value';
var sql = 'SELECT * FROM users WHERE id = ' + SqlString.escape(userId);
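Review bot: the remaining README blocks each get `<!-- eslint-disable no-undef -->` because they use `SqlString` without the `require` shown in the Usage block. If the README is linted with eslint-plugin-markdown, every fenced block is checked as a separate file, so a per-block annotation is indeed required, but `/* global SqlString */` as the first line inside each block would keep `no-undef` active for the rest of the snippet and document the dependency to readers instead of switching the rule off. The `SqlString.escape(userId)` call that this example exists to demonstrate is unchanged either way.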
Expand All @@ -41,6 +43,8 @@ console.log(sql); // SELECT * FROM users WHERE id = 'some user provided value'
Alternatively, you can use `?` characters as placeholders for values you would
like to have escaped like this:

<!-- eslint-disable no-undef -->

```js
var userId = 1;
var sql = SqlString.format('SELECT * FROM users WHERE id = ?', [userId]);
Expand All @@ -51,6 +55,8 @@ Multiple placeholders are mapped to values in the same order as passed. For exam
in the following query `foo` equals `a`, `bar` equals `b`, `baz` equals `c`, and
`id` will be `userId`:

<!-- eslint-disable no-undef -->

```js
var userId = 1;
var sql = SqlString.format('UPDATE users SET foo = ?, bar = ?, baz = ? WHERE id = ?',
Expand Down Expand Up @@ -87,6 +93,8 @@ Different value types are escaped differently, here is how:

You may have noticed that this escaping allows you to do neat things like this:

<!-- eslint-disable no-undef -->

```js
var post = {id: 1, title: 'Hello MySQL'};
var sql = SqlString.format('INSERT INTO posts SET ?', post);
Expand All @@ -95,6 +103,8 @@ console.log(sql); // INSERT INTO posts SET `id` = 1, `title` = 'Hello MySQL'

And the `toSqlString` method allows you to form complex queries with functions:

<!-- eslint-disable no-undef -->

```js
var CURRENT_TIMESTAMP = { toSqlString: function() { return 'CURRENT_TIMESTAMP()'; } };
var sql = SqlString.format('UPDATE posts SET modified = ? WHERE id = ?', [CURRENT_TIMESTAMP, 42]);
Expand All @@ -108,6 +118,8 @@ placeholder, useful for using functions as dynamic values:
**Caution** The string provided to `SqlString.raw()` will skip all escaping
functions when used, so be careful when passing in unvalidated input.

<!-- eslint-disable no-undef -->

```js
var CURRENT_TIMESTAMP = SqlString.raw('CURRENT_TIMESTAMP()');
var sql = SqlString.format('UPDATE posts SET modified = ? WHERE id = ?', [CURRENT_TIMESTAMP, 42]);
Expand All @@ -117,6 +129,8 @@ console.log(sql); // UPDATE posts SET modified = CURRENT_TIMESTAMP() WHERE id =
If you feel the need to escape queries by yourself, you can also use the escaping
function directly:

<!-- eslint-disable no-undef -->

```js
var sql = 'SELECT * FROM posts WHERE title=' + SqlString.escape('Hello MySQL');
console.log(sql); // SELECT * FROM posts WHERE title='Hello MySQL'
Expand All @@ -127,6 +141,8 @@ console.log(sql); // SELECT * FROM posts WHERE title='Hello MySQL'
If you can't trust an SQL identifier (database / table / column name) because it is
provided by a user, you should escape it with `SqlString.escapeId(identifier)` like this:

<!-- eslint-disable no-undef -->

```js
var sorter = 'date';
var sql = 'SELECT * FROM posts ORDER BY ' + SqlString.escapeId(sorter);
Expand All @@ -135,6 +151,8 @@ console.log(sql); // SELECT * FROM posts ORDER BY `date`

It also supports adding qualified identifiers. It will escape both parts.

<!-- eslint-disable no-undef -->

```js
var sorter = 'date';
var sql = 'SELECT * FROM posts ORDER BY ' + SqlString.escapeId('posts.' + sorter);
Expand All @@ -144,6 +162,8 @@ console.log(sql); // SELECT * FROM posts ORDER BY `posts`.`date`
If you do not want to treat `.` as qualified identifiers, you can set the second
argument to `true` in order to keep the string as a literal identifier:

<!-- eslint-disable no-undef -->

```js
var sorter = 'date.2';
var sql = 'SELECT * FROM posts ORDER BY ' + SqlString.escapeId(sorter, true);
Expand All @@ -153,6 +173,8 @@ console.log(sql); // SELECT * FROM posts ORDER BY `date.2`
Alternatively, you can use `??` characters as placeholders for identifiers you would
like to have escaped like this:

<!-- eslint-disable no-undef -->

```js
var userId = 1;
var columns = ['username', 'email'];
Expand All @@ -168,6 +190,8 @@ When you pass an Object to `.escape()` or `.format()`, `.escapeId()` is used to
You can use `SqlString.format` to prepare a query with multiple insertion points,
utilizing the proper escaping for ids and values. A simple example of this follows:

<!-- eslint-disable no-undef -->

```js
var userId = 1;
var inserts = ['users', 'id', userId];
Expand All @@ -184,6 +208,8 @@ location-specific/timezone-aware `Date`.
This can be further combined with the `SqlString.raw()` helper to generate SQL
that includes MySQL functions as dynamic vales:

<!-- eslint-disable no-undef -->

```js
var userId = 1;
var data = { email: 'foobar@example.com', modified: SqlString.raw('NOW()') };
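Review bot: the unchanged context line "that includes MySQL functions as dynamic vales:" has a typo (`vales` should be `values`); since this hunk already touches the lines around it, fixing it here would save a separate docs-only commit.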